Analysis Date: 2013-12-17 01:49:23
MD5: c8d199ef72488cb9c87dd96bd53ce463
SHA1: f78d7ffebb3af25d939a31b4feb5f6de51c85c9a

Static Details:

PEhash: 1f17a7eea2aadd978b98d41fde44175fceb3682d
AV (avg): PSW.Generic12.PWE
AV (avira): TR/Dropper.Gen
AV (mcafee): PWS-Zbot.gen.oj

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\32dc_appcompat.txt
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 992 -e 152 -g
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 196

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 196

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 992 -e 152 -g

Network Details:


Strings
@@,<
040904B0
,1qjk}
@@"4
5.00.0454
*\AD:\ytftfytfytfy\REeB.vbp
asecfrgvtfd
B4GFDB
CompanyName
dd/MM/yyyy
Dino1
Dino1.exe
DsHc8nePM7f
DUzUyA
e651A8940-87C5-11d1-8BE3-0000F8754DA1
eIpyrZ2vhEP
FileVersion
HIBj
InternalName
mpolkiujhy
Negyhhopgr
OriginalFilename
pNjj3fn5
ProductName
ProductVersion
PZsJ1jHHn
rA133F000-CCB0-11d0-A316-00AA00688B10
StringFileInfo
,T.&^>
Translation
VarFileInfo
VS_VERSION_INFO
]?-X6
yb48XO
ysz3B
YtqYQyF4k1H
|||____
0-4"oP
1a.Z*qmw0+
228}#1.
2uCx:	
3<@*<0Z
3:5("	
5<;1g1
5WNL3R
"?<;8"
";81q 
-893D-mpilui
8N:5(	
9SN:5	
a/5K$3!Fr
AOXYFW_
Ar$G(S
astllesbwaybeih
A{x :0
.b+`A4lYu
BoundText
	bQduD
]bS'G?
bYWTTPLI<<Ic
(cH5Ce
CloseHandle
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
C:\Program Files (x86)\Microsoft Visual Studio\VB98\vbc22608.oca
CreateFileW
CtxtParentDate
`.data
DataCombo
DataCombo1
~DataCombo1
DataList
DataList1
DBwpTo
DefWindowProcA
d^l`2a'%c
DllFunctionCall
DTPicker
DvvlAq
@~eLkU
Euz[xk
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
Frame1
FreeLibrary
gEi]cQ,
GetModuleFileNameA
GetModuleHandleW
GetProcAddress
gHEi@mh
 G#Kco
Hd1;Fo;E
hH7,De
|||_hhh
I6ADayE
IU#YF%
	j8G6_p
JdZ>I_
jnhytgbvf
\JnIoxK
kernel32
kernel32.dll
kernel32.DLL
]]]?KKK?KKK?[qu?v
}k T|0
lNegyhhopgr
LoadLibraryW
l~t5$l
L>T<Z_
MBg)n(
mpilui
MSCOMCT2.OCX
MSComCtl2
MSComCtl2.DTPicker
MSDataListLib
MSDataListLib.DataCombo
MSDataListLib.DataList
MSDATLST.OCX
MSVBVM60.DLL
=>n8VG
Negyhhopgr
Negyhhopgrftukdfg56789dfghjk78Negyhhopgrlo)
N$Fd~qu]
ojalja
OpenProcess
ouiouiou
;,p2nZn
ProcCallEngine
Process32First
Process32Next
PropertyPage
PropertyPage1
pr`UmmXk
qC:\Program Files (x86)\Microsoft Visual Studio\VB98\vbc30554.oca
QCzi6x/
QeZLQcd
Q;.n42
=*=-r-
ReadFile
ReferencUserControl1
RowMember
RowSource
RtlMoveMemory
s!1<^<
S=G6Y'A
SystemParametersInfoA
TerminateProcess
;Tg%Gp
!This program cannot be run in DOS mode.
txr?/&j
txtParentDate
}UiZAI
up<	1R
|`Up|wk
user32.dll
UserControl
UserControl1
uSJ4`.
Ux1VM>
:~]VB 
VBA6.DLL
__vbaExceptHandler
WriteProcessMemory
xyZVmqw
+>'`-y
:Y1pW`
Ygggv&
Yggvv1)bnje5
Ygt]M,jnnnjI
YLXjPqGKw
Y}wiRT:2}
yyyobbb
*Z{O X*
 z]w@^j'
:Zx8`_